KR101747144B1 - Method and system for preventing rogue access point - Google Patents
- Publication number: KR101747144B1 (application KR1020160013495A)
- Authority: KR (South Korea)
- Prior art keywords
- unauthorized
- blocking
- information
- unlicensed
- user terminal
Classifications
- H04W12/12—Detection or prevention of fraud
  - H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04W—WIRELESS COMMUNICATION NETWORKS / H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04L63/1458—Denial of Service
  - H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00—Network architectures or network communication protocols for network security / H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic / H04L63/1441—Countermeasures against malicious traffic
- H04W12/10—Integrity
  - H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04W—WIRELESS COMMUNICATION NETWORKS / H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W48/02—Access restriction performed under specific conditions
  - H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04W—WIRELESS COMMUNICATION NETWORKS / H04W48/00—Access restriction; Network selection; Access point selection
- H04W84/12—WLAN [Wireless Local Area Networks]
  - H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04W—WIRELESS COMMUNICATION NETWORKS / H04W84/00—Network topologies / H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop] / H04W84/10—Small scale networks; Flat hierarchical networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention relates to an unauthorized AP (Access Point) blocking system. The system includes an unauthorized AP detection sensor that detects an unauthorized AP in the network assigned to it and transmits the detected unauthorized AP information; and a blocking server that identifies the unauthorized AP based on the unauthorized AP information transmitted from the unauthorized AP detection sensor and performs an attack that stops a service function of the identified unauthorized AP, so that the connection between a user terminal connected to the identified unauthorized AP and the unauthorized AP is blocked.
Description
The present invention relates to an unauthorized AP blocking method and system, and more particularly, to a method and system for blocking an unauthorized AP using a network based on the IEEE 802.11w standard.
Companies and organizations use a Wireless Intrusion Prevention System (WIPS) to protect their networks. In a conventional IEEE 802.11 WIPS, the connection between an unauthorized AP and a user terminal connected to it is blocked as follows: the WIPS sensor collects, by sensing the network, information such as the MAC address, SSID, BSSID and channel of the terminal connected to the unauthorized AP, then generates and transmits management frames such as disassociation and deauthentication frames using the MAC addresses of the unauthorized AP and the user terminal from the collected information, thereby performing the blocking operation. The unauthorized AP and the user terminal that receive the blocking frame treat it as a normal connection termination request and terminate the connection.
However, a network environment based on the IEEE 802.11w standard scheme checks the integrity of blocking frames through a MIC (Message Integrity Code). Therefore, if the WIPS sensor cannot know the MIC shared between the unauthorized AP and the user terminal, it cannot block the connection between them.
In addition, when a separate agent is installed on the user terminal to acquire the MIC, development and maintenance costs arise and the price of the WIPS increases.
The present invention is directed to an unauthorized AP blocking method and system capable of blocking the connection between an unauthorized AP and a user terminal connected to it through a blocking server, without any operation that extracts the MIC, when the unauthorized AP operates in a network environment based on the IEEE 802.11w standard scheme.
According to an embodiment of the present invention, an unauthorized access point (AP) blocking system includes an unauthorized AP detection sensor that detects an unauthorized AP in the network assigned to it and transmits information of the detected unauthorized AP; and a blocking server that identifies the unauthorized AP based on the unauthorized AP information transmitted from the unauthorized AP detection sensor and performs an attack that stops a service function of the identified unauthorized AP, so that the connection between a user terminal connected to the identified unauthorized AP and the unauthorized AP is blocked.
An unauthorized AP blocking method performed by an unauthorized AP (Access Point) blocking system according to another embodiment of the present invention includes: the unauthorized AP detection sensor detecting an unauthorized AP in the network assigned to it and transmitting information of the unauthorized AP; and the blocking server identifying the unauthorized AP based on the unauthorized AP information sent from the unauthorized AP detection sensor and performing an attack that stops the service function of the identified unauthorized AP, so that the connection between the unauthorized AP and the user terminal connected to it is blocked.
According to another exemplary embodiment of the present invention, an unauthorized access point (AP) blocking system includes an unauthorized AP detection sensor which, when an unauthorized AP is detected in the network, transmits a blocking frame based on the IEEE 802.11 standard scheme for blocking the connection between the unauthorized AP and a user terminal connected to it, and which, when the connection between the user terminal and the unauthorized AP is not blocked by the blocking frame, transmits the unauthorized AP information to the blocking server and requests a DoS (Denial of Service) attack against the unauthorized AP.
The system according to an embodiment of the present invention can block an unauthorized AP in an IEEE 802.11w network environment without acquiring the MIC, by separately providing a blocking server that performs the blocking attack. Blocking the connection between user terminals and unauthorized APs in this way is much easier than installing an agent for acquiring the MIC on every user terminal, and since the maintenance cost is relatively low, the WIPS (Wireless Intrusion Prevention System) can be provided without increasing the price of the system.
FIG. 1 is a structural diagram showing the structure of an unauthorized AP blocking system according to an embodiment of the present invention.
FIG. 2 is a conceptual diagram showing the operating principle of an unauthorized AP blocking system according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating an unauthorized AP blocking method according to an embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can readily practice them. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to describe the present invention clearly, parts not related to the description are omitted, and similar parts are denoted by like reference numerals throughout the specification.
Throughout the specification, when a part is referred to as being "connected" to another part, this includes not only being "directly connected" but also being "electrically connected" with another element in between. Also, when a part is referred to as "comprising" an element, this means that it may include other elements as well, rather than excluding them, unless specifically stated otherwise.
In this specification, the term "part" includes a unit realized by hardware, a unit realized by software, and a unit realized using both. One unit may be implemented using two or more pieces of hardware, and two or more units may be implemented by one piece of hardware. A "part" is not limited to software or hardware; it may be configured to reside in an addressable storage medium and to execute on one or more processors. Thus, by way of example, "parts" may refer to components such as software components, object-oriented software components, class components and task components, as well as processes, functions, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays and variables. The functions provided in the components and "parts" may be combined into a smaller number of components and "parts" or separated into additional components and "parts". In addition, the components and "parts" may be implemented to execute on one or more CPUs in a device or a secure multimedia card.
The "user terminal" mentioned below may be implemented as a computer or a portable terminal capable of accessing a server or another terminal through a network. Here, the computer includes, for example, a notebook, desktop or laptop computer equipped with a web browser, and the portable terminal may be a wireless communication device such as a Personal Communication System (PCS), Global System for Mobile communications (GSM), Personal Digital Cellular (PDC), Personal Handyphone System (PHS), Personal Digital Assistant (PDA), International Mobile Telecommunication (IMT)-2000, Code Division Multiple Access (CDMA)-2000, W-CDMA (Wideband Code Division Multiple Access) or Wibro (Wireless Broadband Internet) terminal. The "network" may be a wired network such as a local area network (LAN), a wide area network (WAN) or a value added network (VAN), or any kind of wireless network such as a mobile communication network.
Hereinafter, the IEEE 802.11 standard scheme refers to the standard technology used for wireless LANs (Wi-Fi) in computer wireless networks. IEEE 802.11 is a standard developed by the 11th working group of the IEEE LAN/MAN Standards Committee (IEEE 802). Although the terms 802.11 and Wi-Fi are used interchangeably, the term "Wi-Fi" is the one used by the Wi-Fi Alliance, and 802.11 and Wi-Fi are not synonymous.
IEEE 802.11w refers to an amendment of IEEE 802.11 that improves the security of management frames. Under the existing IEEE 802.11 network, the MAC layer was vulnerable because management information was sent in unprotected frames. The IEEE 802.11w standard was introduced to solve this problem.
An unauthorized AP (rogue AP) is an AP installed on a wired network without authorization, either for the convenience of a user or intentionally by an attacker. This is a significant threat, and the rogue AP should be removed, since it allows access to the internal wired network without passing through the company's security policy. If an ad-hoc network is built by a user carelessly connecting an AP without proper security, it becomes even more dangerous and lets unauthorized persons waste network bandwidth.
Hereinafter, one embodiment of the present invention will be described in detail with reference to Fig. The system according to one embodiment of the present invention includes an unauthorized
The system according to an embodiment of the present invention is characterized by blocking an unauthorized AP without obtaining the MIC (Message Integrity Code) in a network environment based on the IEEE 802.11w standard scheme. In an IEEE 802.11w-based network environment, the MIC is the means of checking the integrity of management frames. Therefore, if the MIC is not known, a management frame transmitted to the unauthorized AP and the user terminal connected to it fails the integrity check, and the connection between the unauthorized AP and the user terminal cannot be blocked.
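As an added example (not part of the patent or of any product it describes), the following Python code shows the escalation decision the sensor and management server described above could make: it parses the RSN information element of an AP's beacon to learn whether IEEE 802.11w protected management frames are required (bits 6 and 7 of the RSN Capabilities field are MFPR and MFPC in IEEE 802.11), checks the BSSID against the normal AP list, and chooses between the conventional blocking frame and escalation to the blocking server, since a forged disassociation or deauthentication frame without a valid MIC is discarded when protection is required. The BSSIDs, the normal AP list and the RSN elements are constructed sample values, and the function names are assumptions, not the patent's own terms.

```python
import struct
from typing import Optional

RSN_ELEMENT_ID = 48      # IEEE 802.11 element ID of the RSN information element
MFPR_BIT = 1 << 6        # RSN Capabilities: Management Frame Protection Required
MFPC_BIT = 1 << 7        # RSN Capabilities: Management Frame Protection Capable

# Constructed sample data (not captured from any real network).
NORMAL_AP_LIST = {"00:11:22:33:44:55"}   # the management server's normal AP list
# RSN IE: version 1, group CCMP, one pairwise suite (CCMP), one AKM (PSK), capabilities
PMF_REQUIRED_IE = bytes.fromhex("30140100000fac040100000fac040100000fac02c000")
PMF_OPTIONAL_IE = bytes.fromhex("30140100000fac040100000fac040100000fac028000")
NO_PMF_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def _u16(buf: bytes, pos: int) -> int:
    """Little-endian 16-bit read with an explicit bounds check."""
    if pos + 2 > len(buf):
        raise ValueError("RSN element truncated at offset %d" % pos)
    return struct.unpack_from("<H", buf, pos)[0]


def parse_rsn_capabilities(ie: bytes) -> dict:
    """Return the PMF flags (MFPC/MFPR) from a raw RSN IE: id, length, body."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("RSN element shorter than its length field")
    if _u16(body, 0) != 1:
        raise ValueError("unsupported RSN version")
    pos = 2 + 4                      # skip version and the group data cipher suite
    for _ in range(2):               # pairwise cipher suite list, then AKM suite list
        count = _u16(body, pos)
        pos += 2 + 4 * count
    if pos > len(body):
        raise ValueError("suite counts exceed RSN element length")
    if pos + 2 > len(body):          # RSN Capabilities is optional: absent means no PMF
        return {"mfpc": False, "mfpr": False}
    caps = _u16(body, pos)
    return {"mfpc": bool(caps & MFPC_BIT), "mfpr": bool(caps & MFPR_BIT)}


def decide_action(bssid: str, rsn_ie: bytes, normal_ap_list: set,
                  blocked_by_frame: Optional[bool] = None) -> str:
    """Map one observed AP to the escalation steps described in the patent.

    blocked_by_frame is None before a blocking frame has been tried; afterwards it
    says whether the sensor saw the association end once the frame was sent.
    """
    if bssid.lower() in normal_ap_list:
        return "authorized"                      # on the normal AP list: not a rogue AP
    flags = parse_rsn_capabilities(rsn_ie)
    if flags["mfpr"]:
        # PMF is mandatory on this BSS: a forged deauth/disassoc carries no valid
        # MIC and is discarded, so the sensor's blocking frame cannot succeed.
        return "escalate_to_blocking_server"
    if blocked_by_frame is None:
        return "send_blocking_frame"             # the conventional 802.11 containment step
    return "blocked" if blocked_by_frame else "escalate_to_blocking_server"


if __name__ == "__main__":
    for name, ie in (("PMF required", PMF_REQUIRED_IE), ("PMF optional", PMF_OPTIONAL_IE),
                     ("no PMF", NO_PMF_IE)):
        print(name, parse_rsn_capabilities(ie),
              decide_action("de:ad:be:ef:00:01", ie, NORMAL_AP_LIST))
```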
However, the system of the embodiment of the present invention does not separately perform acquisition of the MIC when the unauthorized
That is, the system according to an embodiment of the present invention may block the unauthorized AP in the IEEE 802.11w network environment without acquiring the MIC by separately providing the
Hereinafter, the operation of the system according to an embodiment of the present invention will be described in detail with reference to FIG.
First, the unauthorized
The unauthorized
If the
Accordingly, when the connection between the
The
Specifically, the
The blocking
The attack performed by the blocking
The type of the DoS attack of the blocking
On the other hand, when a plurality of blocking
Then, the blocking
As a further embodiment, when the unauthorized
Next, referring to FIG. 3, an
The following method is performed by the
First, the unauthorized
Then, the
The unauthorized
If the blocking is not completed, it is considered that the
The
If the
The blocking
The
One embodiment of the present invention may also be embodied in the form of a recording medium including instructions executable by a computer, such as program modules, being executed by a computer. Computer readable media can be any available media that can be accessed by a computer and includes both volatile and nonvolatile media, removable and non-removable media. In addition, the computer-readable medium may include both computer storage media and communication media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Communication media typically includes any information delivery media, including computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave, or other transport mechanism.
While the methods and systems of the present invention have been described in connection with specific embodiments, some or all of those elements or operations may be implemented using a computer system having a general purpose hardware architecture.
It will be understood by those skilled in the art that the foregoing description of the present invention is for illustrative purposes only, and that various changes and modifications may be made without departing from the spirit or essential characteristics of the present invention. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive. For example, each component described as a single entity may be distributed and implemented, and components described as being distributed may also be implemented in a combined form.
The scope of the present invention is defined by the appended claims rather than the detailed description, and all changes or modifications derived from the meaning and scope of the claims and their equivalents are to be construed as being included within the scope of the present invention.
Reference numerals in the drawings:
100: unauthorized AP detection sensor
110: unauthorized AP
120: user terminal
200: management server
300: blocking server
Claims (11)
An unauthorized AP detection sensor for detecting an unauthorized AP in the network assigned to it and transmitting the detected unauthorized AP information;
A management server for comparing a stored normal AP list with the received unauthorized AP information and transmitting the unauthorized AP information to the blocking server when the unauthorized AP information is not included in the normal AP list; and
A blocking server for identifying the unauthorized AP based on the unauthorized AP information transmitted from the unauthorized AP detection sensor and for performing an attack that stops a service function of the identified unauthorized AP, so that the connection between the identified unauthorized AP and a user terminal connected to it is blocked,
wherein the unauthorized AP detection sensor:
when the unauthorized AP is detected, transmits to the user terminal and the unauthorized AP a blocking frame for blocking the connection between the user terminal connected to the unauthorized AP and the unauthorized AP, and, if the connection between the user terminal and the unauthorized AP is not blocked by the blocking frame, transmits a blocking request including the unauthorized AP information to the management server,
the management server transmits the blocking request to the blocking server when, according to the blocking request, the unauthorized AP is not a normal AP, and
the blocking server stops the service function of the unauthorized AP through a DoS (Denial of Service) attack.
The blocking frame:
is a frame based on the IEEE 802.11 standard scheme.
The blocking frame:
is a frame generated based on the MAC addresses of the unauthorized AP and of the user terminal connected to the unauthorized AP, disassociation information and deauthentication information.
The blocking server:
generates attack result information after the attack on the unauthorized AP and transmits the attack result information so that it is received by the unauthorized AP detection sensor.
The unauthorized AP detection sensor detecting an unauthorized AP in the network assigned to it, transmitting a blocking frame for blocking the connection between the user terminal connected to the unauthorized AP and the unauthorized AP, and transmitting a blocking request including the unauthorized AP information to the management server when the connection between the user terminal and the unauthorized AP is not blocked by the blocking frame;
The management server, according to the blocking request, comparing the received unauthorized AP information with the previously stored normal AP list and transmitting the unauthorized AP information to the blocking server if it is not included in the normal AP list; and
The blocking server identifying the unauthorized AP based on the unauthorized AP information transmitted from the unauthorized AP detection sensor and performing a DoS (Denial of Service) attack to stop the service function of the identified unauthorized AP, so that the connection between the user terminal connected to the identified unauthorized AP and the unauthorized AP is blocked.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR20150174816 | 2015-12-09 | ||
KR1020150174816 | 2015-12-09 |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101747144B1 true KR101747144B1 (en) | 2017-06-14 |
Family ID: 59217920
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020160013495A KR101747144B1 (en) | 2015-12-09 | 2016-02-03 | Method and system for preventing rogue access point |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101747144B1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102102835B1 (en) * | 2019-03-26 | 2020-04-22 | 시큐어레터 주식회사 | Wips sensor |
KR102321683B1 (en) * | 2020-07-10 | 2021-11-04 | (주)노르마 | Method and apparatus capable of selectively blocking unauthorized bluetooth device |
Application events
- 2016-02-03: KR KR1020160013495A patent/KR101747144B1/en active IP Right Grant
Non-Patent Citations (4)
Title |
---|
권혁찬, "Next-generation wireless LAN security technology", http://www.concert.or.kr/suf2015/, 2015.11.30* |
노병규 and three others, "Next-generation wireless LAN security technology trends and issues", PM Issue Report 2013, Vol. 3, Issue 3, Korea Communications Agency (한국방송통신전파진흥원), 2013.* |
Non-patent literature - Google search (unauthorized Rogue AP disassociation deauthentication 802.11w) |
정수환, "Private wireless LAN security threats and countermeasures", 2007.09.* |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8726338B2 (en) | Dynamic threat protection in mobile networks | |
US8997201B2 (en) | Integrity monitoring to detect changes at network device for use in secure network access | |
US9055090B2 (en) | Network based device security and controls | |
KR101501669B1 (en) | Behavior detection system for detecting abnormal behavior | |
US10834596B2 (en) | Method for blocking connection in wireless intrusion prevention system and device therefor | |
US9503463B2 (en) | Detection of threats to networks, based on geographic location | |
JP5682083B2 (en) | Suspicious wireless access point detection | |
US10542020B2 (en) | Home network intrusion detection and prevention system and method | |
US20070005987A1 (en) | Wireless detection and/or containment of compromised electronic devices in multiple power states | |
US9426161B2 (en) | Device-based authentication for secure online access | |
US9124617B2 (en) | Social network protection system | |
US20190387408A1 (en) | Wireless access node detecting method, wireless network detecting system and server | |
EP3395102B1 (en) | Network management | |
WO2008001972A1 (en) | Method for proactively preventing wireless attacks and apparatus thereof | |
US20230232230A1 (en) | Zero Trust Wireless Monitoring - System and Method for Behavior Based Monitoring of Radio Frequency Environments | |
JP2010263310A (en) | Wireless communication device, wireless communication monitoring system, wireless communication method, and program | |
US11336621B2 (en) | WiFiwall | |
KR101747144B1 (en) | Method and system for preventing rogue access point | |
US9100429B2 (en) | Apparatus for analyzing vulnerability of wireless local area network | |
Kim et al. | A technical survey on methods for detecting rogue access points | |
US20230007018A1 (en) | Dynamic multi-network security controls | |
Nair et al. | Intrusion detection in Bluetooth enabled mobile phones | |
KR102366574B1 (en) | Wireless Intrusion Prevention Methods | |
EP2899940B1 (en) | Connection method for secure connecting of a mobile device system to a network | |
Korolkov et al. | Analysis of the wireless clients security from dos attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant |